Serialization Filter in Java 1.7.0_211?

BigBrew Member Posts: 1

Hello,

Background info:  WebLogic 10.3.6 running under Java 1.7.0_211 on Solaris

We are seeing rejections from the Object Input Filter in our server log.  For example:

java.io.ObjectInputStream filterCheck

INFO: ObjectInputFilter REJECTED: class java.rmi.server.RemoteObjectInvocationHandler, array length: -1, nRefs: 7, depth: 2, bytes: 230, ex: n/a

My questions are fairly basic: Both the jdk.serialFilter and the sun.rmi.registry.registryFilter properties are NOT set via the command line nor in the java.security file (commented out). So why is any filtering occurring at all? I've been down the rabbit hole of the JDK source for java.io.ObjectInputStream and a decompiled sun.misc.ObjectInputFilter. I cannot see where any filtering should be occurring if the filter property is not set. Is there a default being set somewhere? I've attempted to open up the filtering by setting jdk.serialFilter=* in the java.security file, but that just caused the server to fail to start up due to a reject on a "null" class:

java.io.ObjectInputStream filterCheck

INFO: ObjectInputFilter REJECTED: null, array length: -1, nRefs: 501, depth: 13, bytes: 7948, ex: n/a

Any insight would be appreciated.

Thanks,

Bob
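
Rejection messages like the two quoted in the post can be tallied per class straight from the server log, which shows at a glance which classes a filter is refusing and which rejections carry no class at all. The script below is an added example, not part of the original post; the function names are illustrative, and the sample holds the two messages from the post plus one constructed line.

```python
import re
from collections import defaultdict

# Message layout as it appears in the post:
# ObjectInputFilter <STATUS>: <class X | null>, array length: N, nRefs: N, depth: N, bytes: N, ex: ...
LINE_RE = re.compile(
    r"ObjectInputFilter (?P<status>[A-Z]+): "
    r"(?:(?:class|interface) )?(?P<cls>[^,\s]+), "
    r"array length: (?P<array_length>-?\d+), nRefs: (?P<refs>-?\d+), "
    r"depth: (?P<depth>-?\d+), bytes: (?P<bytes>-?\d+), ex: (?P<ex>.*)$"
)

def parse_filter_line(line):
    """Return the fields of one filterCheck message, or None if the line is something else."""
    m = LINE_RE.search(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("array_length", "refs", "depth", "bytes"):
        rec[key] = int(rec[key])
    if rec["cls"] == "null":      # no class was attached to this check
        rec["cls"] = None
    return rec

def summarize_rejections(lines):
    """Group REJECTED messages by class; key None collects the class-less ones."""
    summary = defaultdict(lambda: {"count": 0, "max_refs": 0, "max_depth": 0, "max_bytes": 0})
    for line in lines:
        rec = parse_filter_line(line)
        if rec is None or rec["status"] != "REJECTED":
            continue
        entry = summary[rec["cls"]]
        entry["count"] += 1
        for field in ("refs", "depth", "bytes"):
            entry["max_" + field] = max(entry["max_" + field], rec[field])
    return dict(summary)

SAMPLE_LOG = [
    "java.io.ObjectInputStream filterCheck",
    "INFO: ObjectInputFilter REJECTED: class java.rmi.server.RemoteObjectInvocationHandler, "
    "array length: -1, nRefs: 7, depth: 2, bytes: 230, ex: n/a",
    "INFO: ObjectInputFilter REJECTED: null, array length: -1, nRefs: 501, depth: 13, bytes: 7948, ex: n/a",
    # Constructed line: a non-rejected status must not be counted.
    "FINE: ObjectInputFilter ALLOWED: class java.lang.String, array length: -1, nRefs: 1, depth: 1, bytes: 20, ex: n/a",
]

if __name__ == "__main__":
    for cls, stats in summarize_rejections(SAMPLE_LOG).items():
        print(cls or "<no class>", stats)
```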

Answers